Leaked DHS memo accused drone maker DJI of spying for China

A DHS-issued memo meant for law enforcement tossed around words such as “most likely”, “moderate confidence” and “high confidence” when accusing popular drone manufacturer DJI of spying for China.

The bulletin (pdf), written in August by the Los Angeles office of the Immigration and Customs Enforcement bureau (ICE), was leaked last week. In it, SIP Los Angeles claims to have “moderate confidence that Chinese-based company DJI Science and Technology is providing U.S. critical infrastructure and law enforcement data to the Chinese government.” It has “high confidence” that DJI “is selectively targeting government and privately-owned entities within these sectors to expand its ability to collect and exploit sensitive U.S. data.”

That is just the beginning of the accusations, which eventually include how the data collected by the UAVs could help the Chinese, other foreign governments, or even terrorist groups organize physical or cyber attacks against critical infrastructure.

Citing “open source reporting and a reliable source within the unmanned aerial systems industry with first and secondhand access,” ICE claimed to have “high confidence” that DJI is targeting potential new customers based on the customer’s “ability to disrupt critical infrastructure;” examples included railroads, power utilities, utilities which provide drinking water and plants where munition and weapon materials are stored.

It goes on to suggest that the Chinese government is “likely” using the information from DJI drones to “target assets they are planning to purchase.”

The memo explained that DJI’s drones under five pounds use two Android apps, DJI GO and Sky Pixels, which “automatically tag GPS imagery and locations, register facial recognition data even when the system is off, and access users’ phone data.”

The apps also “capture user identification, e-mail addresses, full names, phone numbers, images, videos, and computer credentials. Much of the information collected includes proprietary and sensitive critical infrastructure data, such as detailed imagery of power control panels, security measures for critical infrastructure sites, or materials used in bridge construction.”

According to ICE’s source, “DJI automatically uploads this information into cloud storage systems located in Taiwan, China, and Hong Kong, to which the Chinese government most likely has access.”

SIP Los Angeles assesses with high confidence that a foreign government with access to this information could easily coordinate physical or cyber attacks against critical sites.

The intelligence memo also claims SIP has “high confidence the critical infrastructure and law enforcement entities using DJI systems are collecting sensitive intelligence that the Chinese government could use to conduct physical or cyber attacks against the United States and its population. Alternatively, China could provide DJI information to terrorist organizations, hostile non-state entities, or state-sponsored groups to coordinate attacks against U.S. critical infrastructure.”

DJI’s response

DJI didn’t mince words when the company issued a statement on the ICE bulletin, which it said was “based on clearly false and misleading claims from an unidentified source.”

DJI provided ICE with a rebuttal outlining the “deeply flawed” conclusions in the memo. The company said it told ICE that “the source of the allegations may have had a competitive or improper motive to interfere” by “making the false allegations.”

It goes on to point out “obviously false” allegations, such as the claim of being able to snag facial recognition data even when the drone is powered off, and notes that its Local Data Mode means there is no internet traffic to and from the flight control app.

DJI added, “The allegations in the bulletin are so profoundly wrong as a factual matter that ICE should consider withdrawing it, or at least correcting its unsupportable assertions.”

Nevertheless, this is the second time in less than a month that DJI is facing a PR nightmare.

ICE’s bulletin was issued shortly after the U.S. Army decided to stop using DJI drones due to “cybersecurity concerns.” Shortly thereafter, DJI rushed to launch a bug bounty program. However, security researcher Kevin Finisterre revealed in November that he had “walked away” from a $30,000 bounty payout (pdf) as he said the company changed the scope of the never-clearly-defined bounty program and went so far as to threaten him with charges under the Computer Fraud and Abuse Act (CFAA).